Compliance: Keeping Pace, Identifying Goals, Simplifying the Issue
Note: This is the second article on the overall issue of compliance within the payments industry. The first, "Compliance: Challenges in Protecting Cardholder Data," appeared in The Green Sheet, Sept. 27, 2004, issue 04:09:02.
Thousands of pieces of state and federal legislation. Regulatory agency directives. Industry initiatives. Card Association rules. Network regulations. POS terminal, ATM and PIN Entry Device (PED) specifications. Deadlines and industry mandates. How do banks, credit unions, issuers, acquirers, processors, equipment manufacturers, sales agents and merchants, consultants and testing labs keep up with it all?
Compliance has become complicated. No matter where you fall on the spectrum of transaction processing, the reality of doing business these days is that there are many more regulations and restrictions to follow. It's not just cardholder data: The security of all payment data and protecting the integrity of the systems that make it all possible are paramount.
Different agencies oversee different segments and types of businesses, so there are rules to suit those specifically. Some standards are set in place as laws on the books and compliance is mandatory. Compliance with other standards, though, is encouraged because it benefits the industry in general.
Take the card Associations and their complex regulations that everyone on the chain must follow. Businesses are often non-compliant, simply because they don't know the rules of the game.
There are companies, including Integrity Bankcard Consultants, Inc. (IBC) in Naperville, Ill., who assist others in meeting the complex compliance standards set by the card Associations or regulatory agencies. For example, ISOs and their agents must be registered with each Visa Member bank through which they submit merchant applications.
According to David H. Press, Principal and President of IBC, this can become a very expensive proposition, at $10,000 per registration. Because ISOs are not Visa members, they typically do not have access to the hundreds of pages of Association rules and regulations (updated at least twice a year). But the price of non-compliance can be far more costly, due to fines imposed by the Associations. (See Press' article, "ISO Registration in a Nutshell," on page 78 of this issue.)
ISO registration is one issue; compliance with data security requirements is another. The card Associations have extensive regulations that apply to anyone with access to cardholder data and cover all transaction points along the way.
Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program take the responsibility of protecting the integrity of card data away from consumers and the Associations so that it's incumbent on merchants, processors and member banks to ensure the safe transmittal of information for each and every transaction.
To maintain these high standards, the Associations have created certification requirements for companies that assess the compliance of other companies on their behalf; Visa publishes a list of assessors on its Web site.
One of those companies is TrustCommerce in Irvine, Calif. Following an intensive assessment of its own business practices, TrustCommerce recently earned CISP-compliant status for the second year because its IP-based payment processing solutions meet Visa's standards for protecting transaction data.
To simplify the often agonizing process of meeting multiple Association compliance programs, Chicago-based Ambiron, a consulting firm specializing in compliance, helps merchants and processors meet criteria set by the Associations with one program.
Not only does Ambiron offer an online multi-card compliance tool, its consultants do on-site assessments, analyze credit card storage methods and design solutions for each client's needs. The consultants' recommendations are based on international standards for data security best practices.
According to Andy Bokor, Ambiron's Director of Operations and a Managing Partner, "We've adapted IT to the payment space by applying a very specific methodology. As security practitioners, this is our bread and butter."
Ambiron has developed excellent working relationships with the Associations, and its clients benefit from its high level of interaction with the Associations and familiarity with the regulations, which get them into compliance in a shorter length of time, and keep them there.
Following is a brief overview of other aspects concerning the issue of compliance:
A Truckload of Legislation and Regulatory Changes
Bankers Systems Inc. provides compliance tools, technology and services for financial organizations; its clients include more than 12,000 banks, credit unions and other financial institutions. It also sponsors ComplianceHeadquarters.com, a Web site that provides information and tools to the financial services industry.
Bankers Systems employs more than 75 in-house attorneys and compliance specialists who help clients and their clients' legal counsel understand the complex issues involved in meeting various regulatory requirements, said Chuck Miller, a spokesman for the company. "They sift through and review a vast amount of information."
In 2003, the compliance staff studied 30,000 separate pieces of legislation dealing with compliance at the federal and state levels, including regulations and case law for all 50 states, the District of Columbia and the U.S. government. The staff also followed industry trends and tracked more than 4,000 proposed regulatory changes last year.
Not surprisingly, a survey released in September 2004 that Bankers Systems conducted among 300 U.S. credit unions showed that 29% of respondents identified the rapidly and continually changing regulatory environment as the most significant compliance issue they face, ahead of both Check 21 (16%) and the USA PATRIOT Act (15%).
Uncomplicating Compliance
Taking a proactive and cooperative approach to simplifying the complexity of the issues seems to be a trend in the industry and reflects the general feeling that a robust, secure system works best for all involved. When it comes to uncomplicating compliance, everyone needs to be more proactive.
Even NACHA-The Electronic Payments Association has entered the compliance arena. While this organization oversees the Automated Clearinghouse Network (ACH) and electronic check processing, it is an integral part of an initiative known as the Electronic Authentication Partnership (EAP), launched in December 2003.
Helena Sims, Senior Director, Public/Private Partnerships for NACHA, said this new group's mission is to provide suggested guidelines for interoperability in authentication processes among organizations in the private and public sectors. These include government and non-government agencies, and commercial entities. The idea is that they will all be playing by the same rulebook.
Because authentication as defined by EAP may not always have a financial component to it, the initiative is not tied solely to payments, Sims said, but there are certainly applications for e-commerce inherent in it. In fact, EAP modeled its recommendations on Electronic Benefits Transfer (EBT) best practices for authenticating information over different systems and across state lines.
EAP is developing a system of third-party-issued digital certificates or passwords to EAP members and participants to use when their customers or clients make online inquiries.
EAP's authority to develop and enforce any standards comes from its members' voluntary participation. Its strength lies in the cooperative approach between entities that it encourages and in the marketing opportunities it will afford participants, Sims said.
Three main concerns are the security of the system, interoperability and privacy. "It's important that all components and areas follow similar rules for compliance in any instance when you're dealing with someone online," Sims said. "That way, all parties involved are relying on the system they've signed up with. It just looks better."
GO Software is spearheading another effort at a collaborative approach to compliance. The company's products provide connectivity and communications that facilitate processing for transactions made with credit, debit, gift and EBT cards and checks, and are integrated with a variety of applications. Because of the company's range of involvement in a variety of processes, it decided to take the initiative toward pulling together industry players to discuss common concerns in security and compliance.
GO Software will host its first security and technology conference Nov. 10 - 11, 2004. A company spokesperson described it as an educational forum intended to put security at the forefront of awareness because so many in the industry are perplexed by new security regulations and don't understand the potential risks associated with non-compliance.
The goal is to spark a dialogue between POS software developers and the card Associations to help create a more secure payment processing environment.
By bringing together the card Associations, government agencies, processors, vendors, merchants, and especially payment software makers, in this informational format, GO Software hopes that the resulting discussions will benefit commerce in general by establishing simpler processes and recognizing shared, industry-wide goals.
What About the Equipment?
It's not enough that POS terminals are certified to certain processing platforms; equipment incorporating a PIN entry device (PED) must meet standards set by the Associations, too. (As of Oct. 1, 2004, Visa and MasterCard aligned their separate standards into one set of requirements, known as the Payment Card Industry alignment initiative, or PCI.)
Currently, there are only three labs certified by the Associations to assess the equipment; InfoGard Laboratories in San Luis Obispo, Calif. is one of them. InfoGard is accredited to perform evaluations of machines in a number of industries, including postage meters, ATMs and payment terminals. Using internationally recognized methods, the lab provides IT security and assurance assessment and testing services to customers in 20 countries worldwide.
Douglas Biggs is the PED Program Manager at InfoGard. He said the Visa International PED security requirements were originally published in 1997.
Since then, the basic requirements for online PEDs have undergone minor revisions; offline requirements were added in 2002. The newly aligned PCI standards are intended to make compliance less complicated for equipment manufacturers.
InfoGard evaluates devices based on requirements established by the Associations, which have also set strict evaluation procedures the lab must follow. The typical evaluation requires three samples of the device and takes approximately four weeks to complete, Biggs said.
Upon completion, InfoGard sends a report to the submitting vendor for review and approval. Once it receives permission from the vendor, InfoGard sends the report on to Visa.
Visa will only approve a device that is fully compliant with the requirements, he said. Under Visa PED, approvals are valid for three years.
Biggs said the new PCI requirements are written to accommodate new technologies and solutions to allow manufacturers maximum flexibility. However, he said vendors that are new to the process often have difficulty understanding how to apply the requirements to a device.
InfoGard provides a pre-evaluation service for its clients, which many of the vendors who take advantage of it find helpful, Biggs said. Although InfoGard helps vendors understand how to incorporate the requirements, InfoGard is an independent lab and does not perform design work, in order to avoid conflicts of interest, he said.
ATMs also have their own special compliance requirements. Not only must the machines meet standards for transaction security; pending approval by the U.S. Department of Justice, they will also have to comply with new Americans With Disabilities Act Accessibility Guidelines (ADAAG).
The final draft of the guidelines spells out ATM accessibility criteria, including audio output, for people with vision impairments. The new requirements are not expected to be mandatory until 2005 at the earliest.
There are also definite risks associated with security-deficient ATMs; based on issuing and acquiring members' concerns, Visa and MasterCard have recently joined the debate. PIN pad security, including the system-wide conversion to Triple Data Encryption Standard (3DES), is probably the biggest issue currently facing the ATM industry.
Palm Desert National Bank (PDNB) is a small community bank with three branches in the Palm Desert, Calif. area and a large e-banking division whose primary line of business is to provide vault cash and management services to more than 13,000 ATMs nationwide.
The national and regional ATM networks require that anyone who owns or leases an ATM work with a sponsoring bank in order to connect to the networks; through its vault cash business, PDNB expanded into sponsoring ATM ISOs.
Liz Nutting is PDNB's Network Sponsorship Manager; part of her job involves conducting audits of its sponsored ISOs across the country to ensure that they comply with network requirements for such issues as signage at ATM locations.
Nutting said the main compliance concern by far is Personal Identification Number (PIN) security. "The networks have established regulations to protect the PIN as it's being transmitted back and forth between the ATM, the processor and the network," she said. "What really protects an ATM transaction is that secret code that only the cardholder knows. It's the crux of ATM security." As a result, the networks developed stringent requirements, in particular, 3DES. Each network has its own set of regulations and there is no official governing body that oversees compliance, but as the sponsoring bank, it's up to PDNB to make sure its ISOs do not compromise the regulations.
It's essential that ISOs follow the proper procedures for encrypting key pads on their machines. The industry-mandated upgrades happen at that point: the key pad is now the encryption unit, Nutting said.
3DES, which encrypts and decrypts codes through mathematical formulas three times, requires that three separate strings of characters be loaded onto each key pad by two different people to create a code that is unique to each ATM.
Processors send the alpha-numeric characters in sealed envelopes to ISOs, most of whom do their own key pad encrypting, according to Nutting.
Among other areas, sponsoring banks are required to track several areas of operations, including the processes ISOs use to encrypt each key pad, which staff members have access to the safe where the codes are stored, and who opens the safe.
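To make the key-loading procedure Nutting describes concrete, here is an added example (not code from the article, from PDNB or from any ATM network) of the arithmetic behind it, written in Go with the standard library's crypto/des package. It combines three full-length key components into one working key, computes a key check value for the working key and for each component, and runs the encrypt-decrypt-encrypt sequence that gives 3DES its "three times." The sample components are constructed values, not real key material; combining components by XOR and confirming the load with a check value are common key-ceremony conventions, assumed here because the article does not say which method the networks mandate.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// sampleComponents stand in for the three strings that, in the process the
// article describes, reach the ISO in sealed envelopes. CONSTRUCTED values
// for illustration only; in a real ceremony no one person sees all three.
var sampleComponents = []string{
	"0123456789ABCDEFFEDCBA9876543210A1B2C3D4E5F60718",
	"89ABCDEF0123456776543210FEDCBA98192A3B4C5D6E7F80",
	"13579BDF02468ACEECA8642FFDB97531F0E1D2C3B4A59687",
}

// CombineComponents XORs full-length components into the working key.
// XOR combination is an assumption here (a widespread convention; the article
// does not name the method). Because every component is the full 24-byte
// triple-DES length, a single string gives its holder nothing about the key.
func CombineComponents(hexComponents []string) ([]byte, error) {
	if len(hexComponents) < 2 {
		return nil, errors.New("split knowledge needs at least two components")
	}
	key := make([]byte, 24)
	for _, h := range hexComponents {
		c, err := hex.DecodeString(h)
		if err != nil {
			return nil, err
		}
		if len(c) != len(key) {
			return nil, fmt.Errorf("component is %d bytes, want %d", len(c), len(key))
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return key, nil
}

// subkeys builds the three single-DES ciphers K1, K2, K3 from a 24-byte key.
func subkeys(key []byte) ([3]cipher.Block, error) {
	var ks [3]cipher.Block
	if len(key) != 24 {
		return ks, errors.New("need a 24-byte triple-DES key")
	}
	for i := range ks {
		c, err := des.NewCipher(key[8*i : 8*i+8])
		if err != nil {
			return ks, err
		}
		ks[i] = c
	}
	return ks, nil
}

// TripleDESEncrypt spells out the "three times": encrypt with K1,
// decrypt with K2, encrypt with K3, each a single DES operation.
func TripleDESEncrypt(key, block []byte) ([]byte, error) {
	ks, err := subkeys(key)
	if err != nil || len(block) != 8 {
		return nil, errors.New("need a 24-byte key and an 8-byte block")
	}
	out := make([]byte, 8)
	ks[0].Encrypt(out, block)
	ks[1].Decrypt(out, out)
	ks[2].Encrypt(out, out)
	return out, nil
}

// TripleDESDecrypt is the inverse: decrypt with K3, encrypt with K2, decrypt with K1.
func TripleDESDecrypt(key, block []byte) ([]byte, error) {
	ks, err := subkeys(key)
	if err != nil || len(block) != 8 {
		return nil, errors.New("need a 24-byte key and an 8-byte block")
	}
	out := make([]byte, 8)
	ks[2].Decrypt(out, block)
	ks[1].Encrypt(out, out)
	ks[0].Decrypt(out, out)
	return out, nil
}

// LibraryEncrypt uses the standard library's 3DES cipher so the hand-written
// EDE sequence above can be checked against it.
func LibraryEncrypt(key, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// CheckValue returns the key check value (KCV): the first three bytes of the
// encryption of an all-zero block, in hex. Custodians compare KCVs to confirm
// a key loaded correctly without ever seeing the key itself.
func CheckValue(key []byte) (string, error) {
	out, err := TripleDESEncrypt(key, make([]byte, 8))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(out[:3]), nil
}

// ComponentCheckValue is the KCV of one component on its own.
func ComponentCheckValue(hexComponent string) (string, error) {
	c, err := hex.DecodeString(hexComponent)
	if err != nil {
		return "", err
	}
	return CheckValue(c)
}

func main() {
	key, err := CombineComponents(sampleComponents)
	if err != nil {
		panic(err)
	}
	kcv, _ := CheckValue(key)
	fmt.Println("working key KCV:", kcv)
	for i, c := range sampleComponents {
		ck, _ := ComponentCheckValue(c)
		fmt.Printf("component %d KCV: %s\n", i+1, ck)
	}
	block := []byte{0x04, 0x12, 0x34, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF} // constructed sample block
	ct, _ := TripleDESEncrypt(key, block)
	lib, _ := LibraryEncrypt(key, block)
	pt, _ := TripleDESDecrypt(key, ct)
	fmt.Println("matches crypto/des:", bytes.Equal(ct, lib), "round trip:", bytes.Equal(pt, block))
}
```

Running main prints the working key's check value alongside each component's; for an auditor the point is that the check values, not the components, are what the two custodians compare, so the full key is never written down or seen by one person. The length check matters too: a component shorter than the key would leave part of the working key determined by the other custodians alone.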
Nutting described her role as auditor as being more of a medical examiner conducting check ups rather than as a policeman taking punitive actions. "It's my job to make sure the ISO, and the entire system, remain healthy. I see it more as an educational tool," she said.
If an ISO fails audits and is non-compliant repeatedly, the only recourse sponsoring banks have is to withdraw sponsorship, which Nutting has never seen happen.
"I have yet to see an ISO doing anything blatantly out of compliance, and certainly not intentionally," she said. "I see things that are not completely compliant or not necessarily wise, where they just didn't know all the details.
"The intent of the audits and PIN security measures is to mitigate the risk as best we can, but there's still a risk. We have to keep an ever-vigilant attitude.
"We think we're taking careful steps to really protect the cardholders' interests and the entire system," Nutting said. "That's what the goal is."